From e1832eb20a7089f6383cfce474f213157f5300cb Mon Sep 17 00:00:00 2001
From: Johannes Schindelin <johannes.schindelin@gmx.de>
Date: Wed, 18 Sep 2019 16:33:18 +0200
Subject: [PATCH] path: also guard `.gitmodules` against NTFS Alternate Data
Streams
We just safe-guarded `.git` against NTFS Alternate Data Stream-related
attack vectors, and now it is time to do the same for `.gitmodules`.
Note: In the added regression test, we refrain from verifying all kinds
of variations between short names and NTFS Alternate Data Streams: as
the new code disallows _all_ Alternate Data Streams of `.gitmodules`, it
is enough to test one in order to know that all of them are guarded
against.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
src/path.c | 2 +-
tests/path/dotgit.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/path.c b/src/path.c
index 7844da67227..b3a8fc32f83 100644
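--- a/src/path.c
+++ b/src/path.c
@@ -1646,7 +1646,7 @@ GIT_INLINE(bool) only_spaces_and_dots(const char *path)
 const char *c = path;
 
 for (;; c++) {
- if (*c == '\0')
+ if (*c == '\0' || *c == ':')
 return true;
 if (*c != ' ' && *c != '.')
 return false;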
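Review bot: With the new condition, `only_spaces_and_dots()` also returns true as soon as it reaches a `:`, and neither its name nor any comment visible in the hunk says that everything after the colon is ignored. I would document the new contract at the condition, e.g. `/* ':' starts an NTFS Alternate Data Stream suffix, which names a stream of the same file; treat it like end-of-name */`. A true result no longer means the remainder is only spaces and dots, which matters if the helper is ever reused for something other than rejecting reserved names. The function's opening lines, its closing brace and its callers are outside the hunk, so this should be checked against every call site.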
diff --git a/tests/path/dotgit.c b/tests/path/dotgit.c
index 30996694512..ceb7330d248 100644
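--- a/tests/path/dotgit.c
+++ b/tests/path/dotgit.c
@@ -116,4 +116,5 @@ void test_path_dotgit__dotgit_modules_symlink(void)
 cl_assert_equal_b(true, git_path_isvalid(NULL, ".gitmodules", 0, GIT_PATH_REJECT_DOT_GIT_HFS|GIT_PATH_REJECT_DOT_GIT_NTFS));
 cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_HFS));
 cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
+ cl_assert_equal_b(false, git_path_isvalid(NULL, ".gitmodules . .::$DATA", S_IFLNK, GIT_PATH_REJECT_DOT_GIT_NTFS));
 }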
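Review bot: The added assertion only exercises the symlink mode (`S_IFLNK`) with `GIT_PATH_REJECT_DOT_GIT_NTFS`, so nothing pins what `git_path_isvalid()` returns for the same stream-suffixed name when the entry is not a symlink. A companion line such as `cl_assert_equal_b(<expected>, git_path_isvalid(NULL, ".gitmodules . .::$DATA", 0, GIT_PATH_REJECT_DOT_GIT_HFS|GIT_PATH_REJECT_DOT_GIT_NTFS));`, with `<expected>` set to whatever the project intends, would catch an unnoticed change in the verdict for regular files. The test function begins outside the hunk, so earlier assertions may already cover part of this.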